Stop generating certificate requests for disabled networks

The certificate requests created based on ApacheNetworks require fqdn_NETWORK to be set.
The will only be defined for the networks that are enabled for the current role.

Currently requests are generated for all networks. This happens to work for the Controller role
as all networks are enabled. However it fails on DCN compute nodes that are not on the external
network (they use apache for local glance-api services).

Change-Id: I05ba5fb48c617a5bbedebb8b74c23bec9abf3bbd
This commit is contained in:
Oliver Walsh 2022-05-04 21:10:00 +01:00
parent d9fabc20ed
commit 4e3d900942

View File

@ -72,10 +72,13 @@ resources:
# NOTE(xek) Get unique network names to create certificates.
# We skip the tenant and management network (vip != false)
# since we don't generate certificates for those.
{%- for role in roles %}
{{ role.name }}:
- ctlplane
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
{%- for network in networks if network.name in role.networks and network.enabled|default(true) and network.vip|default(false) %}
- {{network.name_lower}}
{%- endfor %}
{%- endfor %}
outputs:
role_data:
@ -119,7 +122,7 @@ outputs:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
metadata_settings:
if:
- {get_param: EnableInternalTLS}
@ -129,7 +132,7 @@ outputs:
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
$NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
upgrade_tasks: []
deploy_steps_tasks:
- name: Certificate generation
@ -167,4 +170,4 @@ outputs:
- {get_param: CertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}